H.R. 2124 (110th): Federal Agency Data Breach Protection Act

The text of the bill below is as of May 3, 2007 (Introduced).

Source: GPO

I

110th CONGRESS

1st Session

H. R. 2124

IN THE HOUSE OF REPRESENTATIVES

May 3, 2007

introduced the following bill; which was referred to the Committee on Oversight and Government Reform

A BILL

To amend title 44, United States Code, to strengthen requirements related to security breaches of data involving the disclosure of sensitive personal information.

1. Short title

This Act may be cited as the “Federal Agency Data Breach Protection Act”.

2. Federal agency data breach notification requirements

(a) Authority of director of Office of Management and Budget to establish data breach policies

Section 3543(a) of title 44, United States Code, is amended—

(1) by striking “and” at the end of paragraph (7);

(2) by striking the period and inserting “; and” at the end of paragraph (8); and

(3) by adding at the end the following:

“(9) establishing policies, procedures, and standards for agencies to follow in the event of a breach of data security involving the disclosure of sensitive personal information and for which harm to an individual could reasonably be expected to result, specifically including—

(A) a requirement for timely notice to be provided to those individuals whose sensitive personal information could be compromised as a result of such breach, except no notice shall be required if the breach does not create a reasonable risk of identity theft, fraud, or other unlawful conduct regarding such individual;

(B) guidance on determining how timely notice is to be provided; and

(C) guidance regarding whether additional special actions are necessary and appropriate, including data breach analysis, fraud resolution services, identity theft insurance, and credit protection or monitoring services.”.

(b) Authority of chief information officer to enforce data breach policies and develop and maintain inventories

Section 3544(a)(3) of title 44, United States Code, is amended—

(1) by inserting after “authority to ensure compliance with” the following: “and, to the extent determined necessary and explicitly authorized by the head of the agency, to enforce”;

(2) by striking “and” at the end of subparagraph (D);

(3) by inserting “and” at the end of subparagraph (E); and

(4) by adding at the end the following:

“(F) developing and maintaining an inventory of all personal computers, laptops, or any other hardware containing sensitive personal information;”.

(c) Inclusion of data breach notification in agency information security programs

Section 3544(b) of title 44, United States Code, is amended—

(1) by striking “and” at the end of paragraph (7);

(2) by striking the period and inserting “; and” at the end of paragraph (8); and

(3) by adding at the end the following:

“(9) procedures for notifying individuals whose sensitive personal information is compromised consistent with policies, procedures, and standards established under section 3543(a)(9) of this title.”.

(d) Authority of agency chief human capital officers to assess Federal personal property

Section 1402(a) of title 5, United States Code, is amended—

(1) by striking “, and” at the end of paragraph (5) and inserting a semicolon;

(2) by striking the period and inserting “; and” at the end of paragraph (6); and

(3) by adding at the end the following:

“(7) prescribing policies and procedures for exit interviews of employees, including a full accounting of all Federal personal property that was assigned to the employee during the course of employment.”.

(e) Sensitive personal information definition

Section 3542(b) of title 44, United States Code, is amended by adding at the end the following new paragraph:

“(4) The term “sensitive personal information”, with respect to an individual, means any information about the individual maintained by an agency, including—

(A) education, financial transactions, medical history, and criminal or employment history;

(B) information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records; or

(C) any other personal information that is linked or linkable to the individual.”.